The law grants the government new powers to compel software companies to help law enforcement decrypt content, or in extreme cases, develop new technologies to disable or undermine encryption (see Australia Passes Encryption-Busting Law).

It's the latter part that raised the most ire, as technologists worried the government could force software developers to install backdoors into their products. Other parts of the law impose penalties on those who disclose secret government orders to undermine encryption, obscuring public oversight.

But the Coalition government contended it needed the powers over the holiday season, citing possible national security and terrorism threats. Critics contended the vague intimation of a public safety threat was an unjustified scare campaign leveraged to push flawed legislation onto the books.

Critics' Concerns

Among the critics is Mozilla, which said its preference is for the law, formally known as the Assistance and Access Bill 2018, to be "abandoned and annulled." It fears the government could use its powers to single out one employee to compromise the integrity of its systems. That employee would be bound by secrecy and face prison if a legal order were to be disclosed.

That law could force tech companies "to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities," Mozilla says in its submission.

Also weighing in is FastMail, an email provider.

"We have already seen an impact on our business caused by this perception," FastMail says in its submission. "Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act. Still, we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice."

Unfinished Business

Parliament passed the law amidst a flurry of legislative activity at the end of its session for the year, with legislators acknowledging that it was problematic but pledging to fix its faults this year. It was a messy end to a contentious debate that drew international attention.

Because of Australia's close partnership with its other intelligence partners, including the U.S., Canada, U.K. and New Zealand, there are fears that Australia could become the go-to place to undermine encryption via mutual legal assistance orders.

The legislative debate last year drew international attention. Among the critics outside Australia is Riana Pfefferkorn, an associate director of surveillance and cybersecurity at the Center for Internet and Society at Stanford Law School.

Pfefferkorn filed comments with the Senate committee on Feb. 14. She contends that the secrecy requirements around the law "has caused immediate and ongoing harm to Australia's technology sector (according to industry leaders)."

"It is not publicly known - and maybe never will be - which providers have been served to date with technical assistance/capability notices or requests under the new law, or what the providers have secretly done to their products and services in order to comply," she writes.

Over the past few years, many communications software providers have designed systems that can transmit content that can only be decrypted with private keys held by those communicating. The new law, however, allows Australia to issue a "technical capability notice," which compels a company to build a new capability that would unlock content.

Security experts contend doing so would also create openings for nation-states and cybercriminals, who may discover and take advantage of purposeful weaknesses inserted into software.

Although the government has maintained it wouldn't order companies to build systemic weaknesses, security experts derided the claim as semantic gibberish that is in practice technically unfeasible.

Senetas, an Australian company that specializes in encryption, says in its submission that its competitors are leveraging the law to cast doubt on Australian products.

"Australian-based providers of information technology products and services are now regularly fielding questions regarding the impact of the Act on their installed products and in the context of prospective sales engagements," Senetas writes. "The situation is not aided by foreign competitors making use of the media and other material to improve their competitive position."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
